Missing User Warnings
Medium
- Confidence
- 97% confidence
- Finding
- The skill documents and uses a hardcoded default API key, which encourages use of a shared embedded credential and risks unintended disclosure, abuse, or quota exhaustion. Even if the key is intended for convenience, embedding credentials in distributable skill content is insecure because users may unknowingly transmit requests under a credential they do not control.
